On 05/11/2018 21:50, Wiktor Kwapisiewicz wrote:
> Have you considered an alternative approach to email verification? For
> example just sending an e-mail (probably encrypted) with a one-time
> verification link?

Yes, we considered this option. But we cannot be sure that the user uses a secure email system, and that this link cannot be read by somebody else.

For now, using Google’s login system seems to be the most reliable and secure solution. Our backend works on Google App Engine, and thus we don’t have our own login-password system and, accordingly, it is impossible to crack it unless you hack Google. Yes, of course Google can find out the public certificates associated with Google accounts, but any other user in our system can do this.

> That way non-Google users wouldn't be excluded.
> (Actually this approach
> would work for Google and non-Google users alike).

You can register a Google account with any email address. Simply, instead of creating an account on our service (another password that needs to be saved), you create an account on Google, or use an existing one.

It doesn't seem to me that every internet site should have its own separate login-password system; in most cases it is better to use the existing secure solution.

> Sending an encrypted e-mail additionally verifies that the user controls
> the key in question.

But you can easily send an email with any address in the 'From' field.
It does not mean you really control this email address.


Best regards,
Viktor Ageyev
CEO/CTO, Cryptonomica.net

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users